Krebs on Security

In-depth security news and investigation

Who’s Behind The Styx-Crypt Exploit Pack?

Earlier this week I wrote about the Styx Pack, an extremely sophisticated and increasingly popular crimeware kit that is being sold to help miscreants booby-trap compromised Web sites with malware. Today, I’ll be following a trail of breadcrumbs that leads back to central Ukraine and to a trio of friends who appear to be responsible for marketing (if not also making) this crimeware-as-a-service.

As I noted in Monday’s story, what’s remarkable about Styx is that while most exploit kits are sold on private and semi-private underground forums, Styx has been marketed and sold via a regular Web site: styx-crypt[dot]com. The peddlers of this service took down their site just hours after my story ran, but versions of the site cached by archive.org hold some important clues about who’s responsible for selling this product.

At the bottom of the archived styx-crypt homepage, we can see two clickable banners for an account at virtual currency Webmoney to which potential customers of Styx will need to send money in order to purchase a license for the software. The Webmoney account #268711559579 belongs to a Webmoney Purse number Z268711559579. Follow that link and you’ll see that the registered username attached to that purse is “Ikar.” If we look closer we can see that Ikar’s Webmoney purse is connected to another purse at Webmoney account 317426476957, which is this purse belonging to a user named “Nazar.” (Update: July 11, 10:14 p.m.: Both Ikar and Nazar changed the names on their Webmoney accounts after this story ran. Thankfully, archive.org cached the old data. The links to the purses above have been changed accordingly.)

Both Ikar and Nazar are nicknames that were used in Styx sales threads on several underground forums, including damagelab[dot]org, secnull[dot]cc and antichat[dot]ru. In these threads, Ikar used the contact address “ikar@core.im”, while Nazar listed “nazar@hush.ai”. Both addresses are associated with forum accounts named “Ikar” and “Renzor” (for examples, see this cached, Google-Translated page from Renzor’s account on antichat.ru, and this cached page from secnull[dot]cc). Nazar’s address is linked to a “Max Lighter” profile on Facebook, but not much more information is available on that profile.

reality7solutions.com

Ikar@core.im doesn’t appear to be connected to anything special, but Nazar’s address was used as the point-of-contact in registering two very interesting domains: reality7solutions.com and uptimer.biz. Looking at the familiar wormhole-like squiggly at the top of reality7solutions.com, I noticed it was very similar to the rotating icon (youtube.com video) used by the Styx pack.

Reality7solutions.com’s homepage lists an address in the United States for a company called EPAM Systems, which according to the business directory maintained by Hoovers is a public company that specializes in IT outsourcing. Hoovers says the company provides “software development and other IT services to US and European customers primarily from development centers in Russia, Belarus, Hungary, Ukraine, Kazakhstan and Poland.”

I felt like I’d hit a dead end with Shangin, so I had a look at the other domain registered to nazar@hush.ai — uptimer.biz. This is a site designed to help companies monitor if and when their sites go offline for any reason. Its homepage features a clickable icon that takes you to Nazar’s aforementioned Webmoney account, Z317426476957. The site is registered to a Nazar Stodolya in Ukraine. A pair of job ads posted at free-lancer.net by a Nazar Stodolya using that same nazar@hush.ai address appear to have been seeking someone to help with the uptimer.biz site. But I suspect that Nazar Stodolya is just a pseudonym (taken from an old Soviet-era film by the same name).

The “KM” in Km.ua is the subdomain used by the Khmelnitsky region of central Ukraine (where our developer friend Shangin is from). Fonmax.km.ua is registered to a Maxim Gavryuk from Khmelnitsky. Max’s LiveJournal blog, fonmax.livejournal.com, includes several photographs of him, and almost 100 blog posts spanning several years. Likewise, an account for “FonMax” at Russian developer forum ecomstation.ru lists a Maxim Gavryuk as its owner.

It turns out that Maxim and Stanislav Shangin (the designer of styx-crypt[dot]com) hang out socially and are friends; check out the following screen shot, from a post on Max’s LiveJournal blog from June 14, 2009 entitled, “Essay on How I Spent My Weekend, or Birthday Report.”

An image that appears at the top of blog posts about DDoS on both Max’s blog and an Antichat forum ad by Renzor

Back to Maxim (Ikar?) for a second: One of Max’s LiveJournal posts (via Google Translate) is particularly interesting. In Aug. 2011, Max posted about the Livejournal.com domain getting knocked offline by a denial-of-service attack (recall that uptimer.biz, one of the two sites registered to Shangin’s buddy Nazar, is a service designed to let you know if your site is offline). The post begins with the picture of a large security guard who looks like a bouncer. At the end of that blog entry, Max suggests that perhaps LiveJournal should consider hiring someone to protect them from distributed denial-of-service (DDoS) attacks, and he mentions one operation in particular: antiddos.biz. He even offers to provide invite codes for those who are interested in the service.

If you didn’t take a look at the Renzor/Ikar post at antichat.ru that I linked to above, look at it here. Notice that the post was published around the same time as Maxim’s 2011 post about the LiveJournal outage, and begins with the same photo of the beefy security guard. In it, the poster is advertising “Reality Guard,” a “bulletproof hosting” service designed to protect companies from denial-of-service attacks.
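The chain of pivots in this story (Webmoney purse to registered username, username to forum nickname, nickname to contact e-mail, e-mail to WHOIS registrant and the domains registered under it) is the same link-analysis pattern an incident responder uses to cluster attacker infrastructure, and it is worth seeing how little code it takes to make the chain explicit and repeatable. The Python below is an added example, not code from this article or from anyone it describes: it records the observations above as constructed sample edges (each tagged with the source that established it), finds the shortest chain of sources connecting two indicators with a breadth-first search, and lists the hub indicators on which the most links depend, the ones whose later change (the renamed Webmoney accounts in the update above) would break the chain if the original data had not been cached.

```python
"""Indicator pivot graph: link analysis over (source, indicator, indicator) observations.

Added example. OBSERVATIONS is constructed sample data transcribed from the
article's public breadcrumbs; nothing here queries a live service."""

from collections import defaultdict, deque

# Indicators are "type:value" so a nickname and an e-mail address can never collide.
# Domains are kept defanged ([dot]) exactly as the article prints them.
OBSERVATIONS = [
    ("styx-crypt homepage (archive.org cache)", "domain:styx-crypt[dot]com", "wm_purse:Z268711559579"),
    ("Webmoney purse record", "wm_purse:Z268711559579", "nick:Ikar"),
    ("Webmoney purse record", "wm_purse:Z268711559579", "wm_purse:Z317426476957"),
    ("Webmoney purse record", "wm_purse:Z317426476957", "nick:Nazar"),
    ("forum sales threads", "nick:Ikar", "email:ikar@core.im"),
    ("forum sales threads", "nick:Nazar", "email:nazar@hush.ai"),
    ("WHOIS registrant e-mail", "email:nazar@hush.ai", "domain:reality7solutions.com"),
    ("WHOIS registrant e-mail", "email:nazar@hush.ai", "domain:uptimer.biz"),
    ("uptimer.biz homepage", "domain:uptimer.biz", "wm_purse:Z317426476957"),
]


def build_graph(observations):
    """Undirected adjacency map: indicator -> {neighbour: source that links them}."""
    graph = defaultdict(dict)
    for source, a, b in observations:
        graph[a][b] = source
        graph[b][a] = source
    return graph


def pivot_path(graph, start, goal):
    """Shortest chain of observations from start to goal (breadth-first search).

    Returns a list of (indicator, source_of_the_link_that_reached_it); the
    start entry carries source None. Returns None if no chain exists, which is
    the honest answer when two leads simply do not connect."""
    if start not in graph or goal not in graph:
        return None
    parent = {start: (None, None)}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            break
        # Sorted iteration keeps the chosen path deterministic between runs.
        for nxt, source in sorted(graph[node].items()):
            if nxt not in parent:
                parent[nxt] = (node, source)
                queue.append(nxt)
    if goal not in parent:
        return None
    path, node = [], goal
    while node is not None:
        prev, source = parent[node]
        path.append((node, source))
        node = prev
    return path[::-1]


def hubs(graph, min_degree=3):
    """Indicators linked to at least min_degree others.

    These are the pivots to verify (and archive) first: if one is later renamed
    or deleted, every chain that passes through it becomes unreproducible."""
    return sorted(node for node, nbrs in graph.items() if len(nbrs) >= min_degree)


if __name__ == "__main__":
    g = build_graph(OBSERVATIONS)
    for node, source in pivot_path(g, "domain:styx-crypt[dot]com", "domain:reality7solutions.com"):
        print(f"{node:40} via {source or '(start)'}")
    print("hubs:", hubs(g))
```

Every edge carries the source that established it, so the printed path doubles as the citation list a write-up needs; a chain that relies on a single uncached source (a live account name, a WHOIS record that can be changed) is the weak point to snapshot before publishing.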

This entry was posted on Wednesday, July 10th, 2013 at 12:01 am and is filed under A Little Sunshine, Breadcrumbs, Web Fraud 2.0.

At present, 189 countries are States Parties to the Treaty on the Nonproliferation of Nuclear Weapons, more commonly known as the Nuclear Nonproliferation Treaty or NPT. These include the five Nuclear Weapons States (NWS) recognized by the NPT: the People’s Republic of China, France, Russian Federation, the UK, and the United States.

Notable non-signatories to the NPT are Israel, Pakistan, and India (the latter two have since tested nuclear weapons, while Israel is considered by most to be an unacknowledged nuclear weapons state). North Korea was once a signatory but withdrew in January 2003. The legality of North Korea’s withdrawal is debatable but as of 9 October 2006, North Korea clearly possesses the capability to make a nuclear explosive device.

It’s always going to be a battle to keep up with this type of criminal behavior, especially if it is run from countries that are less likely to do anything about it.

The problem with this is that the world economy in the state it currently is in, many who would not practice this type of activity are turning to crime in order to go about their daily lives.

These people are willing to risk it all for a chance at financial wealth at the cost of others. It's sort of like the scientific process at the casinos. The small amount of players that are able to come out of the casino with other people’s money, whether through legit winnings or by manipulation of the process, it's a select few that are willing to risk it all.

I read the daily Homeland Security briefing each day. I see A LOT of crooks caught, given sentences and such. The thing that boggles my brain is that in most instances, what is recovered is close to one-tenth of what was made. What does that mean? I think the people who get caught may sit in a cell for say 3-5 years MAYBE, and then walk out as millionaires. The stolen money gains interest, and they are even richer.

Brian, there are two interesting reads in the July 9th Homeland Security report. One was three crooks tried using fake credit cards at establishments and got caught. They had another 140+ in their possession to try. I wonder how many were created through this “new process” on another story in the DHS report;

That may be old news to the users of the underworld, but it's coming to the surface. It only makes sense that a lot of these will be offered at low prices, and while this worldwide economic situation stays the same or worsens, the people who are desperate will typically take risks, and may plunge into this type of play.

I’d say it’s far more likely that, rather than sitting on 90% of the wealth they’ve stolen, they’ve actually spent 90% of that wealth. People who are barely breaking even who come into large sums of money have a very hard time not spending it just as fast as it comes in. Look at lottery winners for an example, most invest a tiny fraction of the wealth received and spend the rest, with many ending up bankrupt because what they saved isn’t enough to pay property taxes, registration, etc. for their new toys.

I didn't say they kept 90% of the cash for themselves. I said what was recovered may have been 10% of what was made by them.
Whatever is left is allowed to grow interest IF it is put some where safe and untouchable.

That means the process it takes to bring these crooks down is slow and lethargic. It's not until they either have overwhelming pressure, or overwhelming evidence, that something is done about it.

Lottery winners are a separate issue; at least that has some legitimacy to it.

Who you calling Bro? You ain’t my brother – you MAY be a potential enemy in this topic.

I for one do not stir up a hornet’s nest as many can come at once, but let me say this: If you are “one of them,” it’s only a matter of time. If you are one of them, many sit back and collect illegal funds and continue to do so far beyond becoming rich.

Why? I do not understand why people are so sour. You have a crappy life and want to make people pay for your misery?

You have the same chances as all others in this world. If people hate where they are they can move. All it takes is a little motivation to do so. Motivation in a good way. Working for a living sucks, but I am sure – soon enough, you will no longer have to keep looking over your shoulder to see if the Feds are nearby.

As criminal activity becomes bolder, the pressure on the government becomes too great and the door opens for the Feds to knock down doors. Once one door is down, others go down easier. I am sure Brian would appreciate a candid interview why the criminals have to push way beyond rich.

Great article, however Mr Krebs should have included a flowchart so that readers could follow the tracking better. It gets a little confusing towards the middle, so I have to re-read the whole thing again and write down his online tracking of these two individuals to better clarify the scope of the article.

Thanks for posting the site “archive.org”. Now that’s a real good online deep web search tool.

I support the flowchart idea too! Plus Mr Krebs may be able to create a sort of super detailed mind map for related stories or maybe even a timeline which would show activities of common ne’er-do-wells. That would be interesting and useful, maybe a pattern can emerge that could help catch them?

P.S. Webmoney BL is a Business Level counter. One needs to sell a lot of e-stuff (sales volume more than a 500 000 – 1 mln. $) to get Max’s BL > 303, that’s cool level. Nazar has BL 112 – typical level for experienced web designer with 10 years of experience.

I assume every agency in the world is able to register who’s following the blog of Brian Krebs. You could find Krebs' blog, you were able to read his article and react to it. So why do you want us to translate your Russian message?

To be able to find our IP-address when we are trying to translate the pre arranged message?

I stand corrected.
It didn’t come to me, somebody would use e.g. Tor to look up a text or to read this blog…

And I am sorry that my knowledge of the Russian language is almost nil.
I have translated the Russian part of your answer to me. I understand that those Russian parts are meant for well-educated people like Mr. Krebs. Don’t correct me if I am wrong. It just proves that I am really a ‘Durki’, whatever that means…

You're welcome. Mind you, sometimes it helps if you think before you make an assumption/statement. And by the way ‘Durki’ — дурак means — fool, simpleton, idiot (stupid person with poor judgment) or a simple card game.

…that Digital Sky Technologies bought them around 2010. DST, the company believed to be Russian mob or something close to it, owns the obsolete network many Eastern European and Russian crooks are using for their operations. Probably just a coincidence but an interesting connection anyway.

@ bpo. В чужо́м глазу́ сори́нку заме́тно, а в своём — бревна́ не вида́ть. Вы́ше головы́ не пры́гнешь. [A speck in another’s eye is easy to notice, but in your own you can’t see a log. You can’t jump higher than your own head.]
Cybernetics in Russia, you’re eating yourselves.
Berg: Kibernetiku-na sluzhbu kommunizmu 1961. For those who speak English, I don’t believe there is a translation of the paper.
@ IA Eng. Russian and Ukrainian hackers don’t even realize they are helping the cartels and doing the work for free. Every time they gather information or break into something they are middle-manned, even if they use their own servers. Even grandma can dig up fiber cables, no? They’ve done it to other hackers, too, who thought servers outside government intrusion/control are safe. Глаза́ боя́тся, а ру́ки де́лают. [The eyes are afraid, but the hands do the work.]
@Just_me- I recommend reading ‘Crime and Punishment’ (Cliff's Notes if you like); it’ll give you a peek into the Eastern Bloc mindset.

“@ IA Eng. Russian and Ukrainian hackers don’t even realize they are helping the cartels and doing the work for free. Every time they gather information or break into something they are middle-manned, even if they use their own servers. Even grandma can dig up fiber cables, no? They’ve done it to other hackers, too, who thought servers outside government intrusion/control are safe. Глаза́ боя́тся, а ру́ки де́лают. [The eyes are afraid, but the hands do the work.]”

No amount of whining about making other people rich is going to make these operations legitimate or acceptable. It stinks to high heaven and people have that as an acceptable way of life.

And that is justification to keep doing what you are doing? Come on, it's just like the 1930’s mafia movies in the USA. The Mob sends in the thugs and the businesses have to pay insurance money or have the business suffer great loss. It's now almost 100 years later and other countries are still doing the same thing.

The system to CLEAN this cesspool of evil activity is broken. And it will remain broken for a very long time until countries decide to clean it up. People blame “Amer” for things not related to the issues, when all they are is jealous. Only thing I see you can bitch about Amer for is that we will act on this, and force other countries to do the same. The thought to hate others is like the bandwagon... people hate things because the thought is passed around like a cheap bottle of vino.

Every country (and about everyone in them) has issues. That does not mean to fall into the pit and become one of them. All these evil forums/people produce are things to try and see if the Feds can catch the activity. If the Feds do not, then the middle men use them until they are not too good anymore. Then they pass them on to others to make a profit. In the end someone gets stuck with the useless goods.

I do not know it all. I have earned what I have and worked very hard to get where I am today. I am vigilant and try to do my best to keep what is mine. Others out there across the world seem not to care – but that does not make theft of any type the “right” thing to do.

These people have opportunity to go to another country and make the most of it on the good side. Many of these people have talent and no doubt in the right place, can make legitimate cash. Instead they consider the condition they are in is the best it can be. That is the wrong way to think. You accept defeat.

Governments do it all the time. If you do the same as a citizen then you are called a criminal. So a criminal is a citizen who is behaving like a government…

But sometimes a government has to decide, pragmatically, otherwise they lose their power, to ensure the citizen some freedom. A healthy society is built on trust and peace. It’s also more productive, and the members of the government can live in freedom and security as well.

So some kind of privacy is granted to them to ensure no member of their apparatus is able to use private information to set up a scheme to enrich itself.

But when a government goes into decline and is ‘robbing’ its own people for its own wellbeing, it gets lots of enemies. To defend themselves they have to give up the privacy granted in better times.

That’s what is happening in this Era. It’s a wave motion. In a few years other people, irritated with the current behaviour of governments, will restore the privacy and by that secure the means of a healthy and productive society.

BTW somebody who has done nothing wrong, isn’t scared about being attacked.

I just wanted to draw the big picture. The reason why all you wrote is happening.

I am somebody who likes to act as a good citizen. Because on the long run it’s the most profitable.
But you have to respect the reasons why some people become ‘misaligned’.
I don’t agree with the way they're doing it. My blood also boils, like any mentally healthy human's, when somebody does me wrong. But you always have to look further. Why are they doing it? When you gain that knowledge you can either correct them so they will fit in or use their talents for your own plans 😉

That last method, that’s what you were writing about…

It maybe didn’t make any sense to you but my intentions were good.
My apologies to you.

@Go Bro thanks, I already read it (in the original :). And I agree with your point, this book deeply shows the ‘eastern bloc mind’. This author is very ‘Russian’ in all respects. But as for hackers, I believe their ‘eastern’ minds are exaggerated a lot. They overdo it – like in the comments above.

I call BS. There’s been enough investigation into and reporting on actual Eastern Bloc criminals to know that most are just opportunists doing it for the money. And those making decent money often get into materialistic lifestyles too. That’s quite the opposite of the higher motives Dostoyevsky alluded to.

Hey Brian, you must’ve hit a nerve with some of your Russian-speaking fans/readers/”well-wishers”…

My ears perked up when I came across the name of EPAM. We’ve dealt with them before, they did a pretty good job, but it’s not clear what their alleged connection to this whole thing is… Could you clarify?

It doesn’t help that cybercriminals have shown themselves to be extremely poor at covering their tracks. They’re the ones leaving the breadcrumbs behind. Crying because someone finds your breadcrumbs doesn’t make them the bad guy, or stupid, or whatever ridiculous assertion you’re trying to make.

These guys must be either losers or protected if it is so easy to track them. BTW, also interesting to see that most Russia-related cybercriminals use ICQ – a messaging tool which is not only a security nightmare by design but also run by ex-KGB folks with ties to the Russian government. So the conclusion is that these guys are simply not afraid of being caught, and they are probably right.